Re: AW: ICMP (Ping)

[<jfastabe () up edu>]

nmap's default behavior is to do a ping sweep and a port 80 ack sweep.

john.


On Mon, 8 Sep 2003, Meidinger Chris wrote:

> Nmap ping scans first unless you tell it not to.
>
> > From the nmap manpage at
> http://www.insecure.org/nmap/data/nmap_manpage.html:
>
>        -P0    Do  not  try  and ping hosts at all before scanning
>               them.  This allows the scanning  of  networks  that
>               don't  allow  ICMP  echo  requests  (or  responses)
>               through their firewall.  microsoft.com is an  exam?
>               ple  of  such a network, and thus you should always
>               use -P0 or -PT80 when portscanning microsoft.com.
>
> Wouldn't this be a reliable measure of whether people are likely to ping
> scan first or just vuln scan right away?
>
> -----Urspr?ngliche Nachricht-----
> Von: Halverson, Chris [mailto:chris.halverson () encana com]
> Gesendet: Montag, 8. September 2003 18:14
> An: 'Tim Greer'; Jay Woody
> Cc: security-basics () securityfocus com
> Betreff: RE: ICMP (Ping)
>
>
> I hate to say it but I do completely agree with Tim.  If you get a free tool
> of superscan from FoundStone or most any other and you could scan an entire
> subnet for open services or ports that seem interesting in 30 minutes.
> Seeing a webservice that is open or a telnet port would allow most of them
> to zero in on that server.  ICMP replys are usually irrelevant.  I usually
> disable the service for the reason that when you are configuring Cisco
> Routers it is another access list command to enter.
>
> Chris
>
> -----Original Message-----
> From: Tim Greer [mailto:chatmaster () charter net]
> Sent: Friday, September 05, 2003 4:40 PM
> To: Jay Woody
> Cc: security-basics () securityfocus com
> Subject: RE: ICMP (Ping)
>
>
> On Fri, 2003-09-05 at 14:29, Jay Woody wrote:
> > > > What purpose would seeing a response from a ping serve to a
> > > > kiddy looking to deface web sites?  If they are going to attack
> > > > you randomly, why do you assume that they would stop to
> > > > think when they are blindly attacking networks/ips anyway?
> >
> > Here is how it works again.
>
> How what works?  How you assume they will attack the network or probe it?
>
> >   They scan a range and then go back and run
> > a port scan/vuln scan against what replies.
>
> Most just simply run them.  If they are up, they are up.
>
> >   They don't run vuln scans
> > randomly against ranges,
>
>
> Yes, actually, 'they' do.
>
> >  they run ping sweeps randomly against ranges,
> > those that reply get more attention.
>
> Not really.  Some people may do that, but experience dictates otherwise.
> The people that randomly probe just do it, they don't make a list to spend a
> lot of time on unless it's an intentional, known target they have some
> desire to break into.
>
> >   So how would not replying help?
> > Well by getting less attention obviously.
>
> Why do you assume that out of millions of Ips that respond, one will get
> more attention than another?  If you are correct and someone collects a list
> of "I'm live, I'm here" responding Ips are to later be targeted, that's one
> thing, but I've never seen that.
>
> >   They aren't "blindly
> > attacking networks/ips anyway".  They are blindly scanning or sweeping
> > networks/ips through the use of pings.
>
> You assume so, but it's more likely a blind probing.
>
> >   They are not so blindly (but
> > almost) running a port scan those that reply.  Then they are running a
> > vuln scan against the boxes that just told them they were a certain
> > OS, etc.
>
> Almost all scanners and worms even, will hit the range of IPs and not care
> if it responds to pings.
>
> > > > Running a scanner to look for open ports of vulnerabilities
> > > > in services, as not going to change because you don't reply
> > > > to ping requests.  Those scans will check the ports and
> > > > services on said IP--not give up if it can't get a ping
> > > > response.
> >
> > Man, dude, where do I start on this one?  :)  Yes, running something
> > like that would behave exactly as you describe (I think).  However,
> > that isn't at all what anyone has said.  Again, they "scan" the
> > ADDRESSES in a range for a simple reply and then run a port scan/vuln
> > scan against those that reply.
>
> > From what I've seen, that's not the case.  They don't first check to
> > see
> that it's alive, they can see it's alive without waiting for a ping
> response.  They will most likely initially scan for common services to see
> if it's alive.  Not only is it more accurate, but it's also telling them
> that the service they want to test is up.
>
>
> >   Your point is that if they don't respond to pings,
> > they likely won't respond to vuln scans.
>
> No, I didn't say that.
>
> >   The script kiddies say the
> > same thing in reverse.
>
>
> Huh?  That's what I said.  I said that will scan it, not caring if it
> replies from a ping request.
>
> >   If you respond to a ping you likely will give up
> > more information if asked.
>
> But less helpful information than you would getting a response from a
> service you are looking for being up.  Hence, ping is irrelevant, they will
> hit the ports/services to see if they should "come back".
>
> >   Again, they scan the range for replies and
> > then run a port scan/vuln scan against the replies for more info.
>
> They do?  How do you know this?  How do you know that's what most or all of
> the script kiddies do?
>
> >   They
> > don't blindly run a vuln scan against a range.  That would be even
> > more stupid and waste time.
>
> Uh, we're talking about random scans/probing and script kiddies and you
> think that's unlikely because it would be 'stupid'?  This is why script
> kiddies are a joke and why ping responses are not going to make a
> difference.
>
> > > > And that doesn't relate to the type of attacks being
> > > > discussed.  That's another, less serious issue anyway.
> >
> > Uh, OK.
>
> Indeed.
>
> >   The question was should your devices reply.
>
>
> Yes, that was the question.
>
> >   There is not an
> > ATTACK there.
>
>
> No, there's certainly not.
>
> >   The statement was that no, they shouldn't because then
> > you get more interest from the kiddies.
>
> Not really, but you don't have to share my opinion nor belief.
>
>
> >   You said no you don't and I
> > said yes you do.
>
> Yes, that's correct.. that appears to be what we said.
>
> >   Haven't heard about any attack mentioned at all.
>
> Haven't you been reading what I said?
>
> > Also, if you think having your web page defaced is not serious, then
> > ask Nike how much the press hurt them and ask Microsoft how much money
> > they spend on making sure it doesn't happen to them.
>
> Who is their lack of security an issue when it comes to how much 'attention'
> a ping response will get you or not?  I don't believe it will, because
> random scans will randomly scan you anyway.  I've disabled ICMP for ping
> requests on different networks and I see the same amount of probing/scanning
> activity on them as one's with it enabled.  As for Nike and MS, they are
> targets, it has no bearing on them responding to ping requests.
>
>
> >   If you are a seller,
> > then having your web page defaced and pointing people to a site that
> > gathers their credit card numbers would be decently serious I would
> > think.
>
> Ping responses have absolutely no bearing on the security of your server/web
> site.  It's either secure or it's not.  You have the opinion that someone's
> going to randomly ping Ip's looking for responses, rather than simply seeing
> if a service is running, is going to save some people from being
> compromised.  I disagree.  If your security is so slack that a script kiddie
> can later come back simply from seeing the IP was pingable, then you have
> bigger concerns than ping responses to worry about.  Also, consider this; if
> you have someone skilled enough to have any chance of getting into most
> servers, those will not likely be the type of people that will think a ping
> response means anything and, instead, they will be scanning for open
> ports/services.  No, ping doesn't hide you.
>
>
> > > > No, they'd probe for vulnerabilities by domain or IP, the
> > > > ping response plays no role in that situation.
> >
> > If they are probing for vulnerabilities by domain (and I am not 100%
> > sure what you mean there), then they are retarded.
>
> That depends on how you look at it.  They may have specific types of sites
> that they want to compromise.  Grabbing a list of domains (ie., from an old
> whois db) would serve up all the domains with 'shop' in them, for example.
> Either way, someone's that's going to randomly scan IP ranges with no target
> in mind, is retarded anyway.  I don't know about you, but I don't worry
> about those type.
>
>
> >   I said that they
> > deface the web page and move on and you reply that they scan for vulns
> > by domain.
>
> Pings have nothing to do with web site defacement.  Poor security does.
> How someone finds them, is irrelevant.  Lack of a ping response doesn't hide
> you.
>
>
> >   Again, the ping response plays a HUGE role.
>
> I disagree.
>
> >   They ping a
> > group of addresses, if you don't respond they move the FREAK ON.
>
>
> Unless they just happen to test for more accurate results, which a skilled
> enough cracker to be a threat would be doing anyway.
>
> >   If you
> > do, they run a port scan, then a vuln scan against you.
>
> Or they just do anyway, since we're talking about retards.
>
>
> >   By not
> > replying, you stop the kiddies from looking (in addition to many of
> > the other DDoS issues mentioned already).
>
> You're living in a dream world if you really think you saying this makes it
> true.  As for some types of attacks, I stated, depending on what protocol,
> it couldn't hurt and may help minimize damage.  As for site defacers and
> people looking to crack your box, forget it, it makes absolutely no
> difference.
>
> >   "[T]hey'd probe for
> > vulnerabilities . . . IP", yep, exactly and where did they get the IP
> > address?
>
>
> Where exactly do you think they get the IP to ping in the first place?
> They hit it and see.  Instead of hitting it for an unhelpful ping response,
> they hit services or ports and see if it's up and a potential target.
> Responding to pings doesn't make you a target.
>
> >   By the freaking ping reply.
>
> Like I said, how do you imagine they get those IP's to try and get a ping
> response from?  What is this, a joke?
>
> >   No reply, less attempts.
>
>
> In your opinion.
>
> >   I am
> > just not saying it right or something, so help me see where we are
> > missing it.
>
>
> I've been trying.
>
> > > > That is irrelevant.
> >
> > Then your point is irrelevant,
>
>
> No.
>
> >  because I was agreeing with your point.
>
> No, you weren't.  Read the responses.
>
> > Sure, some people see a site and say, "I want to hack that particular
> > company."  99% don't.
>
>
> And those 99% will scan for services being up, not give up on a lack of a
> ping response--that means nothing.
>
> >   They say, I want to hack 40 sites in a week.  I
> > don't give a crap who, so let's see who replies.
>
> And they'll start scanning ports/services.
>
> > > > True.  You're either vulnerable or not.  But it depends on the
> > > > type of attack and on what service or protocol.
> >
> > And if you don't reply to pings then 90% of the kiddies never even try
> > to find out what will work against you.
>
> No.  Refer to above.
>
> > > > No it doesn't.  Skripties are stupid by nature.  They hit
> > > > blindly with the scanners, the scanners don't give up if
> > > > there's no ping response,
> >
> > See, here is where you keep missing it.
>
> This is ironic.  Do I need to explain?
>
> >   They DO NOT blindly run vuln
> > scans.
>
> Says who?  Says you?  Why are you so certain people will check for a measly,
> means nothing ping response, instead of just testing fir a response on a
> common port, like port 80--after all, they _are_ after web servers.  Just
> because you say it, doesn't make it so.
>
> >   They blindly run Ping sweeps.
>
> There's no rule to say that's what they _must_ do and, again, in my
> experience, that's not the case.  Are you more worried about the people that
> think they need to ping a server to think something's there, or the more
> thoughtful cracker whom checks to see if you have services running, because
> they know pings don't matter?  So, your entire point and reasoning
> therefore, is that you can do this to prevent the most clueless script
> kiddies that use the most suckiest tool/scanner, from trying to deface your
> web site?  Does that really worry you... at all?
>
> >   They scan a range and see who
> > replies
>
> I'm sure you're familiar with the term "middle man" and 'cutting them out'?
> Why would they do this, when they can simply check to see if you have a
> specific service listening on its port?
>
> >  and then they run the port scan that you describe against just those
> > areas that replied.
>
> I suppose that they could.  Sounds like double the work.  I'm not worried
> about the people that are literally that stupid--to be doing double the
> work.  You should be worried about the more skilled people, if any.
>
> >   Then they run the vuln scan against just
> > those addressed that replied and that have a certain OS, etc.
>
> And they can do this without the delay.
>
> >   That is
> > well known.
>
> And my examples of why this doesn't matter are valid.
>
> >   So either you are saying they run vuln scans against huge ranges,
>
> Yes, the idiots that think a ping response means anything useful, will
> indeed be stupid enough to just let it rip and scan ip ranges.  It has the
> same effect anyway--if something is there, it's there.  If it's not, it's
> not and their scan will skip it or move on.  They randomly scan ip ranges to
> compile a list of servers that are running certain services, not just see
> what IP's respond. That's pointless.
>
> >  which isn't true
>
> It is true.  Try and deal with it.
>
> >  or you are saying that ping sweeps or scans
> > will still document you when you don't reply, which is also not true.
>
> Okay, so you're claiming that it's not true that scans on port 80 to see if
> there's a web server aren't purpseful (or even more so) than just seeing if
> the IP responds?
>
> > They don't run an in depth scan until they see if you are alive or
> > not.
>
> Who said it had to be in-depth?  They can check for even only one relevant
> service, like a web server--since they are defacing web sites (or intending
> to).  Which is more valuable?  A response saying the server is up, or the
> server is up and running a web server?  Why is this so difficult to fathom?
>
> > If you are not alive, why waste their time,
>
> But that's just it, no one cares if the IP responds saying it's alive or
> not.  It is just as quick and more logical and efficient to just straight
> out check and see if a service is up.
>
> >  there are plenty of people
> > that are.
>
> Yes, that's right.  Script kiddies likely waste a lot of time... like
> compiling a list of IPs that are alive at that very time, which means
> nothing.
>
>
> >   I run Zone Alarm at home.
>
> Okay, I won't ask why you do.
>
> >   They ping me and I don't reply,
>
> So?
>
> > now they could run a suite of vuln scans against me and an hour or
> > more to see what is turned up OR they could move to next door
> > neighbors PC where the password is password.
>
> Or, they can see if you're a server running a web service and mock you about
> how you thought they'd have moved on because you didn't respond to silly
> little ping requests.  I'm honestly not saying this to insult you, but I
> don't see how you can argue the point... perhaps you just think the same
> about me and my points.  Oh well.
>
> >   They just move on.
>
> Or so you assume.
>
> >   They are looking
> > for the slow, stupid ones on the fringe to gobble up.
>
>
> So, you're saying people that don't drop ping responses are stupid?
> Odd, I've only disabled responses on maybe 5 servers in the last 8 years and
> I've never been compromised... it must not be the ping factor at play.
>
> >   If you don't
> > reply to a ping, most script kiddies will simply move on.
>
> I think the better question is, who would worry about such script kiddies
> that use those tactics anyway?  I mean, you do secure your servers and
> network, right?
>
> >   That has been
> > the opinion espoused by a great majority of responders to this thread,
> > so I am obviously not the only one that feels this way.
>
> Hey, there's nothing wrong with doing this in my opinion, I just don't see
> the point to use it in any way at all to prevent being attacked or your
> system compromised.
>
> > > > they are busy checking to see what's running on the various
> > > > ports that particular scanner scans.  It's almost contradictive
> > > > to use script kiddie and 'dig deeper' in the same sentence.
> >
> > Not if you didn't reply to a ping they don't.
>
> Fine, don't read any single thing I said.  I am tired of repeating myself.
>
> >   Think about it man.
>
> Irony...
>
> >   If
> > you ping sweep a range of 255 addresses and 20 respond and you are a
> > little kiddie, you are going to focus on those 20, crack 5 quickly and
> > go brag about it.
>
> Maybe those 20 servers should have been secured at some point, would be my
> question?  I'd demand to know how someone could be so incompetent to get
> cracked by a script kiddie.
>
> >   You are not going to kick off your favorite little
> > vuln scanner against addresses that "aren't up"
>
> Sure you are... maybe you aren't, but enough do.
>
> >  in the hopes that maybe
> > one is, spend all night dicking with that one and then having nothing
> > to brag about.
>
> Or, like I said, they actually look for one's that are targets, seeing if
> they are running a service, not just alive.  Oh, I've explained this to
> death.
>
> >   It is a numbers game.  They want to be able to say they cracked X
> > number last night.
>
> So having the middle man, rather than just checking to see if a service is
> up makes their task faster somehow?  How's that?
>
> >   Not that they spent all night scanning a
> > range and then finding out that indeed there really were no other
> > boxes there.
>
> And the scanner moves on if there's no service they are targeting, just as
> it would if there was no ping response--but is more accurate.
>
> > > > But they aren't looking for boxes that reply to ping requests,
> > > > they hit the IP on various ports to check to see if that port/
> > > > service responds and with what.
> >
> > I am beginning to think you are screwing with me now.
>
> I know the feeling.
>
> >   Surely you have
> > downloaded one of these things.
>
> How is that relevant?  I could code a script to check for the 5 common
> services on a server and iterate through however large of an ip range I
> wanted and just collect a list to hit... why the heck would I care about
> pings responding?
>
> >   They don't do that at all.
>
> You should find a better source for your script kiddie tools then.
>
> >   They first
> > sweep a range and gather addresses.
>
> Perhaps if they are using the most lame tool around?
>
> >   Then they compile that in a list.
>
> Why not compile a list of systems actually running a service you are
> targeting?
>
> > Then they run their port scan/vuln scan against each of those IPs and
> > THAT scanner is what looks for ports, weak passwords, etc.
>
> I know what you're saying.. you're saying "You can waste all night on one
> server that may not be there, so they first check for a response."
> As logical as that may sound to you, the method of scanning for the relevant
> services is just as quick as checking for a ping response.  If there's no
> services up that you're targeting, you move on...
>
>
> >   The point
> > being made here, over and over, is that if you are not one of the
> > addresses on the list, then the scanner isn't run against you.
>
> My point being;  If they use that sort of scanner and strategy.  Most don't
> from my years of experience auditing logs.  Also, the fact that who cares
> about these fools, secure your system and don't worry about it.  And,
> finally, that the one's skilled enough to even have a chance will have
> either targeted you to be interested in the first place, OR, they will use a
> more accurate method to compile a list of IPs that are running actual
> relevant services.
>
> Random scans for live IPs doesn't equate to the person wasting their time
> trying every possible exploit on the IP--they will still check for the
> common services and vulnerabilities.  As you said yourself, the goofs want
> to move on, they aren't going to do an in-depth scan of a server that isn't
> going to give up root soon anyway by your logic.  And, with a secured
> server, who cares about these idiots?
>
> >   How do
> > you stay off of the list?
>
> Why do I care if I'm on it?
>
> >   Well, how did you get on it?
>
> By not worrying about irrelevant things and feeling safe about something so
> trivial?
>
> >   You responded
> > to a ping.
>
> Okay, I'm not worried, why are you?
>
> >   No response equals less kiddie attacks.
>
> So?  These are the people you'd be worried about?
>
> >   Period.
>
> In your opinion, my experience dictates differently.  Perhaps yours is not
> the same.
>
> >   Less
> > script kiddie attacks means more time to get the vulns patched and
> > less of a chance that a bonehead move gets you compromised.
>
> No script kiddie that lame is going to get into a server anyway.  That's all
> there is to it.  A script kiddie smart enough to try with a 0-day exploit
> wouldn't have a chance if they were tat random about it anyway.
> They'd try the exploit through IPs, not make a lost to try... it would have
> the same result.  If they can't figure that out, they aren't a threat.
>
> > > > Like I said, a dumb ass script kiddie will hit the ports
> > > > checking the services for vulnerable services.  Ping
> > > > response or not makes absolutely no difference.
> >
> > And like I said, it absolutely does.
>
> Fine, we can disagree.
>
> >   They are not doing random port
> > scans.
>
> They are, they will and they do.
>
> >   They are doing random PING SWEEPS and then doing semi-random port
> > scans on those that REPLY.
>
> I'm sure that _some_ are, sure.
>
> >   Then running specific vuln scans on
> > boxes that replied as needed to the port scans.
>
> If they think it's a viable target, sure.  However, a ping response or not,
> will not be what determines how much time they want to waste.  So, a ping
> response or just cutting the middle man out of the picture and checking for
> relevant services... either way, it makes no difference.
> If you're vulnerable, you get 'got'.  End of story.
>
> >   You seem to think they
> > just jump right into the port scanning world and they just don't.
>
> I tend to think they do, because that's the nature of the script kiddie.  If
> they use the method you outlined, so be it... either way, there's enough out
> there that do, so this makes no difference and will only matter if you are
> vulnerable anyway.
>
> >   Why
> > run a port scan against a non-existent box?
>
> Why check for a ping response from a non existent box?
>
> >   It is just a waste of your
> > time.
>
> Sort of like compiling a list of live IPs for no damn good reason.
>
> >   They don't.
>
> They do.
>
> > > > It's either going to happen or not, random or targeted.
> > > > If it's random, you'll be hit and probed anyway (being an
> > > > attach or probe).  If it's not random, well, we all know the
> > > > answer.
> >
> > If they were running port scans, you might be right,
>
> They do, they are, they will. Of course some don't, some will use the
> strategy you outlined.  Those would be the less skilled, why worry.
>
> >  but again, they
> > don't until
>
> No, that's a condition you added.  Many do.  Speak specifically in terms of
> the one's that don't to make your point, don't act like none do or would--it
> happens all day, all the time, on tens of thousands of networks, in fact.
>
> >  you first let them know there is a box there to run one against.
>
> If they use the method you outlined, sure.  If they don, all bets are off.
>
> >   No box, no port scan.
>
> In your mind.
>
> >   No ping, no box to them.  On to the
> > next range.
>
> In your mind.
>
> > > > I don't see the point to that side of this debate.
> >
> > Cause you aren't trying.
>
> Oh, if you say so. :-)
>
> >   You are just insisting that the process
> > starts in the middle.
>
> No, I'm insisting that people don't have any reason to have a middle man, so
> they don't.
>
> >   It doesn't.
>
> It "do".
>
> >   It starts at the beginning and that
> > is the ping sweep.
>
> You are instant about that, for what reason, I can't imagine.  Wake up.
>
> >   If I were you, I would try to understand that side
> > seeing as how a great majority of the posters have thus far espoused
> > the same idea.
>
> No, they stated they disable it for other reasons, not because they think
> it's a good rock to hide under.  My points are true and valid.
> Some script kiddies may use that method, sure, but a lot do not.  The more
> skilled one's are the one's that do not.
>
> >   You seem to be under the impression that a kiddie's first tool is
> > his port scanner and it isn't.
>
> Well, I guess I wouldn't know, I won't argue with your experience.  I simple
> outlined mine.
>
> >   It is his ping sweeper.
>
> Well, if you say so... you have, and continue to... even though it makes no
> difference.
>
> >   THAT
> > produces the list that he uses for everything else.
>
> Sure, whatever.
>
> >   Again, not 100% of
> > the time, but 90-95% of it.
>
> I'm not sure what you mean by that, sounds like you're saying even that
> doesn't matter to the people that use that method, which seems silly.
>
>
> >   My 2 cents.  Maybe that clarifies it.
>
> Not really.  But it doesn't matter.
> --
> Tim Greer <chatmaster () charter net>
>
>
> ---------------------------------------------------------------------------
> Attend Black Hat Briefings & Training Federal, September 29-30 (Training),
> October 1-2 (Briefings) in Tysons Corner, VA; the world's premier
> technical IT security event.  Modeled after the famous Black Hat event in
> Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.
> Symantec is the Diamond sponsor.  Early-bird registration ends September
> 6.Visit us: www.blackhat.com
> ----------------------------------------------------------------------------
>
> ---------------------------------------------------------------------------
> Captus Networks
> Are you prepared for the next Sobig & Blaster?
>  - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
>  - Precisely Define and Implement Network Security
>  - Automatically Control P2P, IM and Spam Traffic
> FIND OUT NOW -  FREE Vulnerability Assessment Toolkit
> http://www.captusnetworks.com/ads/42.htm
> ----------------------------------------------------------------------------
>
> ---------------------------------------------------------------------------
> Captus Networks
> Are you prepared for the next Sobig & Blaster?
>  - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
>  - Precisely Define and Implement Network Security
>  - Automatically Control P2P, IM and Spam Traffic
> FIND OUT NOW -  FREE Vulnerability Assessment Toolkit
> http://www.captusnetworks.com/ads/42.htm
> ----------------------------------------------------------------------------


---------------------------------------------------------------------------
Captus Networks
Are you prepared for the next Sobig & Blaster?
 - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
 - Precisely Define and Implement Network Security
 - Automatically Control P2P, IM and Spam Traffic
FIND OUT NOW -  FREE Vulnerability Assessment Toolkit
http://www.captusnetworks.com/ads/42.htm
----------------------------------------------------------------------------